Script to make GCP service accounts and generate kubernetes authentication files for them
| John Wayne | [email protected] | GKE service account for John | |
|---|---|---|---|
| Barbara Streisand | [email protected] | GKE service account for Barbara |
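#!/usr/bin/env bash
#
# Create one GCP service account per user listed in a CSV file, grant it GKE
# access on a project, mint a JSON key for it and generate a kubeconfig whose
# default namespace is a per-user namespace. The key and the kubeconfig are
# what the user is later handed.
#
# Input CSV (no header line), one user per line:
#   Full Name,email@example.com,free-text description
# Blank lines and lines starting with '#' are skipped. The service account id
# is derived from the e-mail local part before its first dot, lower-cased:
#   john.wayne@example.com -> john-gkeaccess
# NOTE(review): two users sharing a first name therefore map to the same
# service account; the second one reuses it rather than getting its own.
#
# Required tools: gcloud (already logged in as $PARENT_ACCOUNT) and kubectl.
# Every setting below can be overridden from the environment.
#
# NOTE(review): a service-account JSON key is a long-lived credential. Each run
# mints an additional key (old ones stay on the account until deleted), the
# files must be handed over on a channel meant for secrets rather than plain
# e-mail, and for human users binding the IAM roles to their own Google
# identity would avoid key handling entirely. Confirm the intended model.

set -euo pipefail

readonly USER_LIST_FILENAME="${USER_LIST_FILENAME:-gke_users.csv}"
readonly PARENT_ACCOUNT="${PARENT_ACCOUNT:-[email protected]}"
readonly GCP_PROJECT_NAME="${GCP_PROJECT_NAME:-some-thing-123003}"
readonly GKE_CLUSTER_NAME="${GKE_CLUSTER_NAME:-fluster}"
# NOTE(review): "australia-southeast1" is a region name; if the cluster is
# regional, get-credentials needs --region instead of --zone. Confirm.
readonly GKE_CLUSTER_ZONE="${GKE_CLUSTER_ZONE:-australia-southeast1}"

# Keys and kubeconfigs are credentials: create everything owner-readable only
# and in a fresh directory instead of predictable names under /tmp.
umask 077
OUTPUT_DIR="${OUTPUT_DIR:-$(mktemp -d)}"
readonly OUTPUT_DIR

# Throwaway gcloud configuration directory (CLOUDSDK_CONFIG). Activating each
# service-account key in here means the operator's own gcloud account and
# credential store are never touched, and the cached SA credentials vanish
# with the directory when the script exits.
sa_config_dir="$(mktemp -d)"
readonly sa_config_dir
cleanup() { rm -rf -- "${sa_config_dir:?}"; }
trap cleanup EXIT

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Provision GKE access for one user.
# Globals:   GCP_PROJECT_NAME, GKE_CLUSTER_NAME, GKE_CLUSTER_ZONE, OUTPUT_DIR,
#            sa_config_dir (read)
# Arguments: $1 - the user's e-mail address
# Outputs:   progress on stdout; writes ${OUTPUT_DIR}/<first>-gke-access.json
#            and ${OUTPUT_DIR}/<first>-kubeconfig
# Returns:   0 on success; any failing gcloud/kubectl step aborts the script
#            (set -e) rather than leaving a half-configured account behind
#######################################
provision_user() {
  local gke_user=$1
  local local_part first sa_id sa_email key_file kubeconfig role

  # Service-account id: local part of the e-mail before the first dot. The
  # original took the text before the first dot of the whole address, which
  # for "john@example.com" yielded "john@example"; strip the domain first.
  # tr (not ${var,,}) so the script also runs on bash 3.x (macOS).
  local_part=${gke_user%%@*}
  first=$(printf '%s' "${local_part%%.*}" | tr '[:upper:]' '[:lower:]')
  [[ "$first" =~ ^[a-z][a-z0-9-]*$ ]] \
    || die "cannot derive a service account id from '${gke_user}'"
  sa_id="${first}-gkeaccess"
  sa_email="${sa_id}@${GCP_PROJECT_NAME}.iam.gserviceaccount.com"
  key_file="${OUTPUT_DIR}/${first}-gke-access.json"
  kubeconfig="${OUTPUT_DIR}/${first}-kubeconfig"

  printf 'User is %s\n' "$gke_user"
  printf 'name is %s\n' "$first"

  # Reuse an existing account so the script can be re-run safely.
  if gcloud iam service-accounts describe "$sa_email" \
      --project "$GCP_PROJECT_NAME" >/dev/null 2>&1; then
    printf 'Service account %s already exists, reusing it\n' "$sa_email"
  else
    printf 'Create service account for %s\n' "$first"
    gcloud iam service-accounts create "$sa_id" \
      --project "$GCP_PROJECT_NAME" \
      --description "Generated service account for ${first}"
  fi

  # NOTE(review): both roles are bound at project level, so this account can
  # reach every GKE cluster in the project, and roles/container.developer is
  # not limited to the namespace created below. If per-user isolation is the
  # goal, a namespace-scoped Kubernetes RoleBinding is needed instead.
  printf 'Applying roles to service account for %s\n' "$first"
  for role in roles/container.clusterViewer roles/container.developer; do
    gcloud projects add-iam-policy-binding "$GCP_PROJECT_NAME" \
      --member="serviceAccount:${sa_email}" \
      --role="$role"
  done

  # TODO(srkiNZ84): skip key creation when the account already has a
  # user-managed key; until then every run mints one more long-lived key.
  printf 'Generating service account key for %s\n' "$first"
  gcloud iam service-accounts keys create "$key_file" \
    --iam-account="$sa_email"

  printf 'Generate kubeconfig file for %s\n' "$first"
  # The key is activated only inside the throwaway config dir. kubectl gets the
  # same CLOUDSDK_CONFIG because the generated kubeconfig fetches its tokens by
  # calling gcloud.
  CLOUDSDK_CONFIG="$sa_config_dir" \
    gcloud auth activate-service-account --key-file "$key_file"
  CLOUDSDK_CONFIG="$sa_config_dir" KUBECONFIG="$kubeconfig" \
    gcloud container clusters get-credentials "$GKE_CLUSTER_NAME" \
      --zone "$GKE_CLUSTER_ZONE" --project "$GCP_PROJECT_NAME"
  # Namespace creation is idempotent so re-runs do not fail here.
  if ! CLOUDSDK_CONFIG="$sa_config_dir" KUBECONFIG="$kubeconfig" \
      kubectl get namespace "$first" >/dev/null 2>&1; then
    CLOUDSDK_CONFIG="$sa_config_dir" KUBECONFIG="$kubeconfig" \
      kubectl create namespace "$first"
  fi
  # This only sets kubectl's default namespace; it does not restrict access.
  CLOUDSDK_CONFIG="$sa_config_dir" KUBECONFIG="$kubeconfig" \
    kubectl config set-context --current --namespace="$first"
}

main() {
  local accounts _full_name gke_user _rest

  [[ -r "$USER_LIST_FILENAME" ]] \
    || die "user list not readable: ${USER_LIST_FILENAME}"
  command -v gcloud >/dev/null || die "gcloud not found in PATH"
  command -v kubectl >/dev/null || die "kubectl not found in PATH"

  # TODO(srkiNZ84): verify PARENT_ACCOUNT may create service accounts and edit
  # the project IAM policy. For now only check that it is logged in, so the
  # script fails before touching anything rather than on the first user.
  gcloud config set account "$PARENT_ACCOUNT"
  accounts=$(gcloud auth list --format='value(account)')
  grep -qxF -- "$PARENT_ACCOUNT" <<<"$accounts" \
    || die "${PARENT_ACCOUNT} is not authenticated in gcloud (gcloud auth login)"

  # Read the CSV on fd 3 so gcloud/kubectl cannot swallow remaining lines from
  # stdin; the '|| [[ -n ... ]]' keeps a last line without trailing newline.
  # shellcheck disable=SC2034  # _full_name/_rest only absorb the other columns
  while IFS=, read -r -u 3 _full_name gke_user _rest || [[ -n "$gke_user" ]]; do
    if [[ -z "$_full_name" || "$_full_name" == \#* ]]; then
      continue
    fi
    # An e-mail contains no whitespace, so padding around the field is noise.
    gke_user=${gke_user//[[:space:]]/}
    [[ -n "$gke_user" ]] || die "missing e-mail in line: ${_full_name}"
    provision_user "$gke_user"
  done 3< "$USER_LIST_FILENAME"

  printf 'Done. Keys and kubeconfig files are in %s (owner-readable only).\n' \
    "$OUTPUT_DIR"
  # TODO(srkiNZ84): hand each user their key and kubeconfig. Do not e-mail the
  # key in clear; use a channel meant for secrets and delete the local copy
  # once delivered.
}

main "$@"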